GoDaddy discloses breach of 1.2M customer account details

GoDaddy disclosed a security breach that it says left more than 1 million customers of its hosted sites exposed to various levels of data theft.

The domain registrar and hosting provider broke the news via a U.S. Securities and Exchange Commission (SEC) filing early Monday, saying that on November 17 it uncovered an unauthorized login to its Managed WordPress hosting service.

A popular service for publishing blogs, news sites and business pages, WordPress is a content management system (CMS) that can be used on premises or as a cloud service. In the case of GoDaddy, the CMS is offered as a hosted, subscription-based service for GoDaddy customers.

According to GoDaddy, the company noticed some suspicious network activity last week in its Managed WordPress hosting environment. After a third-party forensics investigator was called in to look at the logs, law enforcement was also brought in and the activity was determined to be the result of a network breach.

It was soon found that the attacker had been enjoying access on the company's network for more than two months before the intrusion was detected. GoDaddy said the attacker used a compromised password to access the provisioning system in the company's legacy code base for Managed WordPress.

"Upon identifying this incident, we immediately blocked the unauthorized third party from our system," GoDaddy said in the SEC filing.

"Our investigation is ongoing, but we have determined that, beginning on September 6, 2021, the unauthorized third party used the vulnerability to gain access."

According to the filing, the pilfered data includes email addresses and customer numbers for roughly 1.2 million Managed WordPress customers.

Additional exposures will vary depending on user settings. For those who have not changed their passwords since having their WordPress accounts created, the administrator password was exposed; GoDaddy says it has since reset those passwords. Also exposed and now reset were secure FTP and database passwords for active customers.

Finally, GoDaddy said that for "a subset of active customers," SSL private keys were left out for the taking. The company is in the process of issuing new certificates for those customers.

GoDaddy would only blame the intrusion on a "vulnerability" that had been exploited by the attackers back in September. It's unclear whether this was a zero-day flaw, a known vulnerability that had not been patched or simply a configuration error; GoDaddy did not respond to a request for comment.

"We are sincerely sorry for this incident and the concern it causes for our customers," GoDaddy said.

"We, GoDaddy leadership and employees, take our responsibility to protect our customers' data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection."